SOHO Pharming Hackers Hijack 300,000 Routers with MitM Attacks

Security researchers from Team Cymru have traced a series of man-in-the-middle (MitM) attacks that have affected 300,000 “small office and home office” (SOHO) routers to two British IP addresses, effectively redirecting traffic to servers controlled by the attackers.

“In January 2014, Team Cymru’s Enterprise Intelligence Services began investigating a SOHO pharming campaign that had overwritten router DNS [domain name system] settings in central Europe,” a white paper from the researchers stated.

Routers are an ideal target for attackers because they can be used to eavesdrop on traffic sent to and from nearby enterprise access points. After an attacker has gained control of a router, they are able to monitor, redirect, block or otherwise tamper with a wide range of online activities.

“To date, we have identified 300,000 devices, predominantly in Europe and Asia, which we believe have been compromised as part of this campaign, one of which dates back to at least mid-December 2013,” the researchers continued.

Thus far, the MitM operation has not been observed redirecting users to malicious websites or stealing sensitive data in transit, so some experts believe the researchers may have stumbled onto a hacktivist botnet being built for other purposes, such as distributed denial of service (DDoS) attacks.

“Attempts to log in to local banking websites in affected countries, and to download software updates from Adobe and others all appeared to function normally, though many requests resolved noticeably slowly or failed to complete. Websites tested also appeared to display normal advertising using these DNS servers.”

Tripwire’s Vulnerability and Exposure Research Team (VERT) has analyzed the security provided by the most popular wireless routers used in many small and home offices and found that 80 percent of Amazon’s top 25 best-selling SOHO wireless router models have security vulnerabilities.

Of these vulnerable models, 34 percent have publicly documented exploits that make it relatively simple for attackers to craft either highly targeted attacks or general attacks targeting every vulnerable system they can find.

Key study findings include:

30 percent of IT professionals and 46 percent of employees do not change the default administrator password on their wireless routers. With access to the configuration interface, attackers can easily compromise the device.

55 percent of IT professionals and 85 percent of employees do not change the default Internet Protocol (IP) address on their wireless routers, making Cross-Site Request Forgery (CSRF) attacks much easier for attackers.

43 percent of IT professionals and 54 percent of employees use Wi-Fi Protected Setup (WPS) – an insecure standard that makes it simple for attackers to discover a router’s encryption passphrase, regardless of its complexity or strength.

52 percent of IT professionals and 59 percent of employees have not updated the firmware on their routers to the latest version, so even when security updates from router vendors are available, most users do not receive the additional protection.
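The campaign above worked by overwriting the DNS resolvers a router hands out, and the study findings list the configuration weaknesses that let such a takeover happen. The following script is an added example (not from Team Cymru or Tripwire) of a fleet audit a defender could run over exported SOHO router configs: it flags resolvers outside an expected allowlist as a pharming indicator and checks the four findings listed. The trusted resolver addresses, config field names and sample routers are all constructed for illustration.

```python
import ipaddress

# Constructed: resolvers your ISP or organisation is expected to provide.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
# A router forwarding DNS to a private address is pointing at the local
# network (typically its own resolver), which is expected rather than suspect.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed: factory passwords that should never survive deployment.
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "1234", ""}

def dns_is_trusted(addr):
    """True only for an allowlisted or private resolver address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # not an IP at all: treat as untrusted
        return False
    return addr in TRUSTED_RESOLVERS or any(ip in net for net in PRIVATE_NETS)

def version_tuple(v):
    """Turn '2.1.4' into (2, 1, 4) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def audit_router(cfg, latest_firmware):
    """Return a list of finding strings for one router config dict."""
    findings = []
    bad = [d for d in cfg.get("dns_servers", []) if not dns_is_trusted(d)]
    if bad:   # the pharming indicator: resolvers nobody in the org configured
        findings.append(f"dns-hijack-indicator: unexpected resolvers {bad}")
    if cfg.get("admin_password") in DEFAULT_ADMIN_PASSWORDS:
        findings.append("default-admin-password")
    if cfg.get("wps_enabled"):
        findings.append("wps-enabled")
    if version_tuple(cfg.get("firmware", "0")) < version_tuple(latest_firmware):
        findings.append(f"firmware-outdated: {cfg['firmware']} < {latest_firmware}")
    return findings

def audit_fleet(routers, latest_firmware="2.1.4"):
    """Map router id -> findings for every router in the inventory."""
    return {r["id"]: audit_router(r, latest_firmware) for r in routers}

# Constructed inventory: one clean router, one with every weakness, one
# using its own resolver on a private address.
SAMPLE_ROUTERS = [
    {"id": "r1", "dns_servers": ["192.0.2.53"], "admin_password": "s3cure-Xq9",
     "wps_enabled": False, "firmware": "2.1.4"},
    {"id": "r2", "dns_servers": ["198.51.100.7", "198.51.100.8"],
     "admin_password": "admin", "wps_enabled": True, "firmware": "2.0.9"},
    {"id": "r3", "dns_servers": ["192.168.1.1"], "admin_password": "Lk2!pq8z",
     "wps_enabled": False, "firmware": "2.1.4"},
]
```

Running `audit_fleet(SAMPLE_ROUTERS)` reports nothing for r1 and r3 and all four findings for r2; feed it the exported configs of real devices and the trusted-resolver set your ISP actually publishes.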